malwarewikiaorg-20200223-history
Phobos
Phobos, also known as Phobos NextGen or Phobos NotDharma is a ransomware that runs on Microsoft Windows. It is aimed at English-speaking users. It is part of the CrySiS/Dharma family. Phobos was first observed on October 21st, 2017. At the end of 2018, it began to spread actively again. Over the course of December 2018 and February 2019, hackers released numerous new variants, which use different emails, including Job2019@tutanota.co, Bad_boy700@aol.com, Cadillac.407@aol.com, Everest_2010@aol.com, Raphaeldupon@aol.com, paper_plane1@aol.com, barcelona_100@aol.com, elizabethz7cu1jones@aol.com, beltoro905073@aol.com, Raphaeldupon@aol.com, Gomer_simpson2@aol.com, ofizducwell1988@aol.com, and FobosAmerika@protonmail.ch. 2019 came with even more news about Phobos virus because the ransomware started exploiting weak security to attack users all over the world.[4] It also targets businesses and large companies since these attacks ensure bigger profit from a single victim. Behavior Phobos does not deploy any techniques of UAC bypass. The mechanisms Phobos uses makes it very aggressive. Payload Transmission Phobos is distibuted by hacking through an insecure RDP configuration, using email spam and malicious attachments, fraudulent downloads, exploits, web injects, fake updates, repackaged and infected installers. Infection During its execution, Phobos starts several threads, responsible for its different actions, such as: killing blacklisted processes, deploying commands from commandline, encrypting accessible drives and network shares. Phobos comes with a list of processes that it kills before the encryption is deployed. Just like other strings, the full list is decrypted on demand: msftesql.exe, sqlagent.exe, sqlbrowser.exe, sqlservr.exe, sqlwriter.exe, oracle.exe, ocssd.exe, dbsnmp.exe, synctime.exe, agntsvc.exe, mydesktopqos.exe, isqlplussvc.exe, xfssvccon.exe, mydesktopservice.exe, ocautoupds.exe, agntsvc.exe, agntsvc.exe, agntsvc.exe, encsvc.exe, firefoxconfig.exe, tbirdconfig.exe, ocomm.exe, mysqld.exe, mysqld-nt.exe, mysqld-opt.exe, dbeng50.exe, sqbcoreservice.exe, excel.exe, infopath.exe, msaccess.exe, mspub.exe, onenote.exe, outlook.exe, powerpnt.exe, steam.exe, thebat.exe, thebat64.exe, thunderbird.exe, visio.exe, winword.exe, wordpad.exe, Those processes are killed so that they will not block access to the files that are going to be encrypted. Phobos also uses several commands from the commandline. Those commands are supposed to prevent from recovering encrypted files from any backups. First, it first deletes the shadow copies by executing the following commands: bcdedit /set {default} bootstatuspolicy ignoreallfailures bcdedit /set {default} recoveryenabled no Phobos then changes the Bcdedit options (preventing booting the system in a recovery mode) using the following commands: bcdedit /set {default} bootstatuspolicy ignoreallfailures bcdedit /set {default} recoveryenabled no After that, Phobos deletes the backup catalog on the local computer using the following command: wbadmin delete catalog -quiet Finally, Phobos disables the firewall with the following commands: netsh advfirewall set currentprofile state off netsh firewall set opmode mode=disable exit Before Phobos starts its malicious actions, it checks system locale (using GetLocaleInfoW options: LOCALE_SYSTEM_DEFAULT, LOCALE_FONTSIGNATURE ). It terminates execution in case if the 9th bit of the output is cleared. The 9th bit represent Cyrlic alphabets so the systems that have set it as default are not affected. Both local drives and network shares are encrypted. Before the encryption starts, Phobos lists all the files, and compare their names against the hardcoded lists. The lists are stored inside the binary in AES encrypted form, strings are separated by the delimiter ‘;’. Among those lists, i.e. blacklist (those files will be skipped) can be found. Those files are related to operating system, plus the info.txt, info.hta files are the names of the Phobos ransom notes: *info.hta *info.txt *boot.ini *bootfont.bin *ntldr *ntdetect.com *io.sys There is also a list of directories to be skipped which it contains only one directory: C:\Windows. Phobos is able to encrypt files without an internet connection (at this point we can guess that it comes with some hardcoded public key). Each file is encrypted with an individual key or an initialization vector: the same plaintext generates a different ciphertext. It encrypts a variety of files, including executables. The encrypted files have an e-mail of the attacker added. The particular variant of Phobos also adds an extension ‘.acute’ – however in different variants different extensions have been encountered. The general pattern is: .id-[]. Phobos encrypts the following extensions: .1cd, .3ds, .3fr, .3g2, .3gp, .7z, .accda, .accdb, .accdc, .accde, .accdt, .accdw, .adb, .adp, .ai, .ai3, .ai4, .ai5, .ai6, .ai7, .ai8, .anim, .arw, .as, .asa, .asc, .ascx, .asm, .asmx, .asp, .aspx, .asr, .asx,. avi, .avs, .backup, .bak, .bay, .bd, .bin, .bmp, .bz2, .c, .cdr, .cer, .cf, .cfc, .cfm, .cfml, .cfu, .chm, .cin, .class, .clx, .config, .cpp, .cr2, .crt, .crw, .cs, .css, .csv, .cub, .dae, .dat, .db, .dbf .dbx, .dc3, .dcm, .dcr, .der, .dib, .dic, .dif, .divx, .djvu, .dng, .doc, .docm, .docx, .dot, .dotm,. dotx, .dpx, .dqy, .dsn, .dt, .dtd, .dwg, .dwt, .dx, .dxf, .edml, .efd, .elf, .emf, .emz, .epf, .eps, .epsf, .epsp, .erf, .exr, .f4v, .fido, .flm, .flv, .frm, .fxg, .geo, .gif, .grs, .gz, .h, .hdr, .hpp .hta, .htc, .htm, .html, .icb, .ics, .iff, .inc, .indd, .ini, .iqy, .j2c, .j2k, .java, .jp2, .jpc,. jpe, .jpeg, .jpf, .jpg, .jpx, .js,.jsf, .json, .jsp, .kdc, .kmz, .kwm, .lasso, .lbi, .lgf, .lgp, .log, .m1v, .m4a, .m4v, .max, .md, .mda, .mdb, .mde, .mdf, .mdw, .mef, .mft, .mfw, .mht, .mhtml, .mka, .mkidx, .mkv, .mos, .mov, .mp3, .mp4, .mpeg .mpg, .mpv, .mrw, .msg, .mxl, .myd, .myi, .nef, .nrw, .obj, .odb, .odc, .odm, .odp, .ods, .oft,. one, .onepkg, .onetoc2, .opt, .oqy, .orf, .p12, .p7b, .p7c, .pam, .pbm, .pct, .pcx, .pdd, .pdf, .pdp, .pef, .pem, .pff, .pfm, .pfx, .pgm, .php, .php3, .php4, .php5, .phtml, .pict, .pl, .pls, .pm, .png, .pnm, .pot .potm, .potx, .ppa, .ppam, .ppm, .pps, .ppsm, .ppt, .pptm, .pptx, .prn, .ps, .psb, .psd, .pst, .ptx,. pub, .pwm, .pxr, .py, .qt, .r3d, .raf, .rar, .raw, .rdf, .rgbe, .rle, .rqy, .rss, .rtf, .rw2, .rwl, .safe, .sct, .sdpx, .shtm, .shtml, .slk, .sln, .sql, .sr2, .srf, .srw, .ssi, .st, .stm, .svg, .svgz, .swf , .tab, .tar, .tbb, .tbi, .tbk,.tdi, .tga, .thmx, .tif, .tiff, .tld, .torrent, .tpl, .txt, .u3d, .udl, .uxdc, .vb, .vbs, .vcs, .vda, .vdr .vdw, .vdx, .vrp, .vsd, .vss, .vst, .vsw, .vsx, .vtm, .vtml, .vtx, .wav, .wb2, .wbm, .wbmp, .wim,. wmf, .wml, .wmv, .wpd, .wps, .x3f, .xl, .xla, .xlam, .xlk, .xlm, .xls, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .xml, .xps, .xsd, .xsf, .xsl, .xslt, .xsn, .xtp, .xtp2, .xyze, .xz, .zip Phobos uses the WindowsCrypto API for encryption of files. There are several parallel threads to deploy encryption on each accessible disk or a network share. An AES key is created prior to the encrypting thread being run, and it is passed in the thread parameter. Although the AES key is common to all the files that are encrypted in a single round, yet, each file is encrypted with a different initialization vector. The initialization vector is 16 bytes long, generated just before the file is open, and then passed to the encrypting function. Underneath, the AES key and the Initialization Vector both are generated with the help of the same function, that is a wrapper of CryptGenRandom (a strong random generator). The AES IV is later appended to the content of the encryped file in a cleartext form. Before the file encryption function is executed, the random IV is being generated. The AES key, that was passed to the thread is being imported to the context (CryptImportKey), as well the IV is being set. After the content of the file is encrypted, it is being saved into the newly created file, with the ransomware extension. The ransomware creates a block with metadata, including checksums, and the original file name. After this block, the random IV is being stored, and finally, the block containing the encrypted AES key. The last element is the file marker: “LOCK96”. Before being written to the file, the metadata block is being encrypted using the same AES key and IV as the file content. Finally, the content is appended to the end of the newly created file. Phobos uses a different algorithm to encrypt big files (above 0x180000 bytes long). The algorithm explained above was used for encrypting files of typical size (in such case the full file was encrypted, from the beginning to the end). In case of big files, the main algorithm is similar, however only some parts of the content are selected for encryption. On the following example. The file ‘test.bin’ was filled with 0xAA bytes. Its original size was 0x77F87FF. After being encrypted with Phobos, some fragments of the file has been left unencrypted. Between of them, starting from the beginning, some fragments are wiped. Some random-looking block of bytes has been appended to the end of the file, after the original size. This is the encrypted content of the wiped fragments. At the very end of the file, a block of data typical for Phobos is seen. Looking inside the reason of such an alignment is seen. Only 3 chunks from the large file are being read into a buffer. Each chunk is 0x40000 bytes long. All read chunks are merged together into one buffer. After this content, usual metadata (checksums, original file name) are added, and the full buffer is encrypted. Phobos has a separate thread dedicated to attacking network shares. Network shares are enumerated in a loop. After the encryption process is finished, the ransom note in the .hta file is popped up. The .hta file saids the following: All your files are encrypted Hello World Data on this PC runed into useless binary code To return to normal, please contact us by this email: OttoZimmerman@protonmail.ch Set topic of your message to 'Encryption ID:random characters' Interesting facts: 1. Over time, the cost increases, do not waste your time 2. Only we can help you, for sure, no one else. 3. BE CAREFUL If you still try to find other solutions to the problem, make a backup copy of the files you want to experiment on, a. play with them. Otherwise, they can be permanently damaged. 4. Any services that offer you help or just take money from you and disappear, or they will be intermediaries between us, with inflated value. Since the antidote is only among the creators of the virus PHOBOS Variants Frendi Frendi is a variant that came out at the end of February 2019. This is the first version known to researchers that haven't marked files with the initial .phobos appendix. The particular file extension that lands on encoded files include the .frendi appendix and tlalipidas1978@aol.com contact email. The same email address also included as the name of the main executable with ransomware payload. Later on, a few more .phobos versions got delivered and after that at the start of April additional Frendi virus variants with withdirimugh1982@aol.com contact email emerged. Phoenix Phoenix is a variant that also appeared in multiple versions of the virus throughout the years. Like other versions, not much changed from the initial cryptovirus, this threat included a few different contact emails in the ransom notes and file markers. autrey.b@aol.com and Costelloh@aol.com, hickeyblair@aol.com are one of those. Ransom notes resembling Dharma family and marked with PHOBOS at the corner remained the same for years, while developers only changed the contact information and IDs per victim. Actor Actor is a variant that appeared once or twice in the campaign. One of these variants found in 2019, at the start of May, contained returnmefiles@aol.com on the file extension and delivered a text file name Encrypted.txt with a few sentences, as per usual. Although, the common HTA window was not delivered, according to some victims, this version was spotted at different times the same year with the same contact information. Mamba Mamba is a variant that came out with a few distinct features and an alternate name of HDD Cryptor. This virus was more dangerous because at first, it started targeting large businesses and attacking victims to gain large amounts via ransoms up to 70 000$. This was one of the versions that exploit unprotected RDP to infect the machines. Contact emails for this particular version are known to be fileb@protonmail.com, back7@protonmail.ch. It is also known to be part of the Petya family as well. Actin Actin is a variant that targets more PC users and individual victims. This threat also uses AES algorithm for the encryption process and demands victims to contact developers via kew07@qq.com to get their files back allegedly. Acton Acton was one of the less repeated variants in the family. It delivers the same info.hta program window with the payment instructions and contact information. Acton leaves out a ransom text file. Data encrypted by the virus got extensions including datadecryption@countermail.com. Adage Adage is a variant that comes in the traditional pattern .id-1096.lockhelp@qq.com.acute. Category:Ransomware Category:Win32 ransomware Category:Win32 trojan Category:Win32 Category:Microsoft Windows Category:Trojan